AWS mini project - Web Identity Federation
Introduction
After setting up many SAML integrations in my previous role, I thought it’s about time to create my own web identity federation system, with a view to host a few serverless applications behind this login page eventually. Firstly a timesheet logging page, with users/projects/time-codes, then a few lambda functions to start/stop any EC2s in my environment.
I was inspired recently by Adrian Cantrill’s advanced mini project and also the epic games social login system, quite an impressive list of choices!
Stage 1
Ok, loading a simple YAML into cloudFormation, simple, just need a little time for cloudfront to become active. This one will be at https://d1quoeddwd14ae.cloudfront.net.
Stage 2
Ok, pointing a google project at cloudfront, this is where I’d like to start adding in my custom domain. As my domain is hosted in CloudFlare for DNS and Pages, a few extra steps will be needed to first generate an ACM certificate, then I can add my domain to cloudfront. For now, webapp will be used as a subdomain, adding the ACM CNAME without proxy in CloudFlare should do the trick.
Next, after a short walk with my dog, the ACM has been validated, so now CloudFront will allow me to add this domain, as I have proven ownership. Next to add my domain into google cloud project - “Authorized JavaScript origins”. I also updated the behaviour from HTTPS only, to redirect HTTP to HTTPS. webapp.ncaldwell.com.au
Stage 3
This is the cognito side of things, adding a policy from the cloudFormation stack to Cognito_WebApp_Auth_Role, straight forward.
Stage 4
Download s3 files, one at a time to avoid a zip file. Move to a directory and open that directory with VS CODE. Adrian has clearly labelled what needs to be updated, so it’s a breeze to add the required IDs.
If you try your subdomain before adding it to cloudflare, like me, on windows go to a powershell prompt and run “ipconfig /flushdns”. If you have a bad DNS result, the quickest option is to try on another device. :)
Stage 5
Success!
Conclusion
A great demo and a great intro to having your own web identity federation, linking Google to AWS resources. Next I plan to add microsoft, all possible with cognito identity pools.